jQuery Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in jQuery. This issue affects versions greater than or equal to 1.0.3 and prior to 3.5.0. The vulnerability arises when HTML containing <option> elements from untrusted sources is passed to jQuery's DOM manipulation methods, such as .html() or .append(). Even if the HTML is sanitized, it may still execute untrusted code. This vulnerability is particularly concerning because it can be exploited through common jQuery methods that manipulate the DOM.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use jQuery versions between 1.0.3 and 3.4.1. Pass unsanitized HTML containing <option> elements into a jQuery DOM manipulation method like .html() or .append().

Remediation

Upgrade to jQuery version 3.5.0 or later, where this vulnerability has been fixed. If you need to use an older version, sanitize the HTML with DOMPurify using the 'SAFE_FOR_JQUERY' option before passing it to jQuery.